CVE-2026-47428

vitest-dev · vitest

A cross-site scripting vulnerability in Vitest Browser Mode allows attackers to inject malicious JavaScript and steal sensitive API tokens via crafted URLs.

Executive summary

A critical cross-site scripting vulnerability in Vitest Browser Mode allows attackers to execute arbitrary code and exfiltrate authentication tokens.

Vulnerability

The browser runner improperly handles the otelCarrier query parameter, which is injected directly into an inline script. This allows an unauthenticated attacker to execute arbitrary JavaScript in the context of the Vitest server origin.

Business impact

With a CVSS score of 9.6, this vulnerability poses a severe threat, as it enables the theft of the VITEST_API_TOKEN. Compromise of this token may grant an attacker the ability to perform authenticated actions against the Vitest API, leading to further unauthorized access or manipulation of testing environments.

Remediation

Immediate Action: Update the vitest package to version 4.1.6, 5.0.0-beta.3, or later.

Proactive Monitoring: Monitor access logs for anomalous browser-runner URL requests containing unexpected query parameters or script-like characters.

Compensating Controls: Utilize a Content Security Policy (CSP) to restrict script execution and prevent the loading of malicious resources in the browser environment.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability presents a significant risk to the integrity of the development environment. Administrators must ensure all Vitest installations are updated to the fixed versions to prevent potential token theft and cross-site scripting attacks.